<html>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<head>
<title>Section 13.4.&nbsp; Using Auth_HTTP to Authenticate</title>
<link rel="STYLESHEET" type="text/css" href="images/style.css">
<link rel="STYLESHEET" type="text/css" href="images/docsafari.css">
</head>
<body>
<br><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><TD valign="top"><a name="learnphpmysql-CHP-13-SECT-4"></a>
<h3 id="title-IDAHV1EF" class="docSection1Title">13.4. Using Auth_HTTP to Authenticate</h3>
<p class="docText">Similar to the way you use PEAR to improve and simplify database access, there's also a PEAR module called <tt>Auth_HTTP</tt> that streamlines the process of authenticating users against a database table. Because the code is prewritten, it reduces the risk that you'll make a mistake when authenticating users. You may notice that there's also a module called <tt>Auth</tt>. This module is similar to <tt>Auth_HTTP</tt>, except it displays the login screen using an HTML page instead of the pop-up authentication that <tt>Auth_HTTP</tt> uses.</p>
<p class="docText">Visually, the user can't tell the difference between the manually coded HTTP authentication dialogs used earlier in this chapter and the <tt>Auth_HTTP</tt> module.</p>
<p class="docText">If you haven't already installed the <tt>Auth_HTTP</tt> module, you can do so from the command line, starting with <tt>pear install Auth</tt>. On a Unix host, you must be logged in as <tt>root</tt> to do it. The <tt>pear install Auth</tt> command displays the output shown in <a class="docLink" href="#learnphpmysql-CHP-13-EX-17">Example 13-17</a>.</p>
<a name="learnphpmysql-CHP-13-EX-17"></a><h5 id="title-IDANW1EF" class="docExampleTitle">Example 13-17. pear install Auth output</h5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
downloading Auth-1.2.3.tgz ...
Starting to download Auth-1.2.3.tgz (24,040 bytes)
........done: 24,040 bytes
Optional dependencies:
package `File_Passwd' version &gt;= 0.9.5 is recommended to utilize some features.
package `Net_POP3' version &gt;= 1.3 is recommended to utilize some features.
package `MDB' is recommended to utilize some features.
package `Auth_RADIUS' is recommended to utilize some features.
package `File_SMBPasswd' is recommended to utilize some features.
install ok: Auth 1.2.3
</pre><br>

</td></TR></table></p>
<p class="docText">If you follow the command in <a class="docLink" href="#learnphpmysql-CHP-13-EX-17">Example 13-17</a> with <tt>pear install Auth_HTTP</tt>, you'll get the output shown in <a class="docLink" href="#learnphpmysql-CHP-13-EX-18">Example 13-18</a>.</p>
<a name="learnphpmysql-CHP-13-EX-18"></a><H5 id="title-IDAFX1EF" class="docExampleTitle">Example 13-18. pear install Auth_HTTP output</H5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><td>

<pre>
downloading Auth_HTTP-2.1.6.tgz ...
Starting to download Auth_HTTP-2.1.6.tgz (9,327 bytes)
.....done: 9,327 bytes
install ok: Auth_HTTP 2.1.6
</pre><br>

</td></TR></table></p>
<p class="docText">Now, <a class="docLink" href="#learnphpmysql-CHP-13-EX-19">Example 13-19</a> automates checking usernames and passwords against the database.</P>
<a name="learnphpmysql-CHP-13-EX-19"></a><h5 id="title-IDAWX1EF" class="docExampleTitle">Example 13-19. Using Auth_HTTP to authenticate a user</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><td>

<pre>
&lt;?php
// Using Auth_HTTP to limit access
require_once('db_login.php');
require_once("Auth/HTTP.php");
// We use the same connection string as the pear DB functions
$AuthOpts = array(
'dsn' =&gt; "mysql://$db_username:$db_password@$db_host/$db_database",
'table' =&gt; "users", // your table name
'usernamecol' =&gt; "username", // the table username column
'passwordcol' =&gt; "password", // the table password column
'cryptType' =&gt; "md5", // password encryption type
);
$authenticate = new Auth_HTTP("DB", $AuthOpts);
// Set the realm name
$authenticate-&gt;setRealm('Member Area');
// Authentication failed error message
$authenticate-&gt;setCancelText('&lt;h2&gt;Access Denied&lt;/h2&gt;');
// Request authentication
$authenticate-&gt;start();
// compare username and password to stored values
if ($authenticate-&gt;getAuth()){
echo "Welcome back to our site ".$authenticate-&gt;username.".";
}
?&gt;
</pre><BR>

</td></tr></table></P>
<p class="docText">What's happening here is that we include the <tt>Auth_HTTP</tt> code with a <tt>require_once</tt> line. The <tt>AuthOpts</tt> array contains the parameters that define how you connect to the database, which table contains user information, and the exact fields to be checked. These parameters are listed in <a class="docLink" href="#learnphpmysql-CHP-13-TABLE-2">Table 13-2</a>.</P>
<a name="learnphpmysql-CHP-13-TABLE-2"></a><p><table cellspacing="0" frame="hsides" rules="all" cellpadding="4" width="100%"><caption><h5 class="docTableTitle">Table 13-2. Auth options</h5></caption><colgroup span="3"><col><col><col></colgroup>
<thead><tr><th class="thead" scope="col" align="left"><p class="docText">Key</p></th><th class="thead" scope="col" align="left"><p class="docText">Description</p></th><th class="thead" scope="col" align="left"><p class="docText">Example</p></th></tr></thead>
<tr><td class="docTableCell" align="left"><p class="docText">dsn</p></td><td class="docTableCell" align="left"><p class="docText">The same database connect string that we used with PEAR DB</p></td><td class="docTableCell" align="left"><p class="docText">mysql://$db_username:$db_password@$db_host/$db_database</p></td></tr>
<tr><td class="docTableCell" align="left"><p class="docText">table</p></td><td class="docTableCell" align="left"><p class="docText">The database table that holds login information</p></td><td class="docTableCell" align="left"><p class="docText">users</p></td></tr>
<tr><td class="docTableCell" align="left"><p class="docText">usernamecol</p></td><td class="docTableCell" align="left"><p class="docText">The database field that holds the username</p></td><td class="docTableCell" align="left"><p class="docText">username</p></td></tr>
<tr><td class="docTableCell" align="left"><p class="docText">passwordcol</p></td><td class="docTableCell" align="left"><p class="docText">The database field that stores the possibly encrypted password</p></td><td class="docTableCell" align="left"><p class="docText">password</p></td></tr>
<tr><td class="docTableCell" align="left"><p class="docText">cryptType</p></td><td class="docTableCell" align="left"><p class="docText">How the password is encrypted in the database</p></td><td class="docTableCell" align="left"><p class="docText"><tt>none, md5</tt></p></td></tr>
<tr><td class="docTableCell" align="left"><p class="docText">db_fields</p></td><td class="docTableCell" align="left"><p class="docText">Which additional fields to retrieve from the login information table</p></td><td class="docTableCell" align="left"><p class="docText"><tt>*, first_name, user_id</tt></p></td></tr>
</table></p><br>
<p class="docText">Once you have the options set, use <tt>new</tt> to create a new authentication object. Call the <tt>setRealm</tt> method to set the realm, start the authentication with <tt>start</tt>, and check the result with <tt>getAuth</tt>. The <tt>setRealm</tt> method sets the name of the realm for HTTP authentication, which then appears in the login box that the browser displays.</p>
<p class="docText"><a class="docLink" href="#learnphpmysql-CHP-13-FIG-12">Figure 13-12</a> shows the authentication dialog before entering the username and password.</P>
<a name="learnphpmysql-CHP-13-FIG-12"></a><p><center>
<H5 class="docFigureTitle">Figure 13-12. We see our familiar authentication prompt before clicking OK</h5>
<img border="0" alt="" width="405" height="214" SRC="images/learnphpmysql_1312.jpg">
</center></p><br>
<p class="docText">Once validated against the values in the database, we see the page in <a class="docLink" href="#learnphpmysql-CHP-13-FIG-13">Figure 13-13</a>.</P>
<a name="learnphpmysql-CHP-13-FIG-13"></a><p><center>
<H5 class="docFigureTitle">Figure 13-13. Telling the user that she is logged in now</h5>
<img border="0" alt="" width="549" height="186" SRC="images/learnphpmysql_1313.jpg">
</center></p><BR>
<p class="docText">If you were to refresh this page, you wouldn't be prompted again for a username and password as long as your session stays active.</P>
<p class="docText">A second example retrieves more information from the <tt>users</tt> table if the username and password match, as shown in <a class="docLink" href="#learnphpmysql-CHP-13-EX-20">Example 13-20</a>.</p>
<a name="learnphpmysql-CHP-13-EX-20"></a><H5 id="title-IDA041EF" class="docExampleTitle">Example 13-20. Retrieving additional information for the user</h5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><TD>

<pre>
&lt;?php
// Example of Auth_HTTP that also returns additional information
require_once('db_login.php');
require_once("Auth/HTTP.php");
// We use the same connection string as the pear DB functions
$AuthOptions = array(
'dsn'=&gt;"mysql://$db_username:$db_password@$db_host/$db_database",
'table'=&gt;"users", // your table name
'usernamecol'=&gt;"username", // the table username column
'passwordcol'=&gt;"password", // the table password column
'cryptType'=&gt;"md5", // password encryption type in your db
<b>'db_fields'=&gt;"*",</b> // enabling fetch for other db columns
);
$authenticate = new Auth_HTTP("DB", $AuthOptions);
// Set the realm name
$authenticate-&gt;setRealm('Member Area');
// Authentication failed error message
$authenticate-&gt;setCancelText('&lt;h2&gt;Access Denied&lt;/h2&gt;');
// Request authentication
$authenticate-&gt;start();
// compare username and password to stored values
if($authenticate-&gt;getAuth()){
echo "Welcome back to our site ".$authenticate-&gt;username.".&lt;br /&gt;";
echo "Your full name is ";
echo $authenticate-&gt;getAuthData('first_name');
echo " ";
echo $authenticate-&gt;getAuthData('last_name').".";
}
?&gt;
</pre><br>

</td></tr></table></P>
<p class="docText"><a class="docLink" href="#learnphpmysql-CHP-13-FIG-14">Figure 13-14</a> shows that the first and last names were also stored in the database and can now be used without doing a separate query. Any columns that were part of the <tt>users</tt> table can be accessed with <tt>getAuthData</tt> as long as <tt>db_fields</tt> is set to retrieve them all with <tt>"*"</tt>.</p>
<a name="learnphpmysql-CHP-13-FIG-14"></a><P><center>
<h5 class="docFigureTitle">Figure 13-14. We can now display more information from the users table without a new query</h5>
<img border="0" alt="" width="549" height="198" SRC="images/learnphpmysql_1314.jpg">
</center></P><BR>
<p class="docText">As you can see, using this module reduces the amount of manual work that's necessary to log in users against a database. This saves you time, because you don't need to construct a database query anymore. To make life even simpler, you could place the code from the last example into a separate <span class="docEmphasis">include</span> file placed at the beginning of each script that has restricted access. If the user is already logged in, the include file doesn't display anything; if she isn't logged in, it prompts her for a password. That way, all your pages are protected with the same chunk of code.</p>
<p class="docText">We're going to move on to something very important: security. As you know, hackers, benign and malicious, are everywhere. Keeping your site free of problems created by the malicious ones requires knowing a lot about security. The last chapter of the book also lists additional security resources that are beyond the scope of this book. We've touched on security in many places so far; now we'll summarize what you've learned all in one place and introduce some advanced techniques to make your site as secure as possible. Regardless of whether your site contains sensitive customer data or just your favorite recipes, you still don't want to log in to find your data missing or altered.</p>
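<p class="docText">The include file described above could look like the following. This is an added example, not code from the book or from the PEAR project: the file name <tt>auth_guard.php</tt> and the helper <tt>auth_field</tt> are hypothetical, and it assumes that <tt>db_fields</tt> accepts a comma-separated column list, as the example values in Table 13-2 suggest. It fetches only the columns the pages display, stops the script if authentication did not succeed, and HTML-escapes stored values before they are printed.</p>

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every
// restricted script. Added example, not code from the book.
// Assumes db_login.php defines the $db_* variables as in Example 13-19.
require_once('db_login.php');
require_once("Auth/HTTP.php");

$AuthOptions = array(
    'dsn'         => "mysql://$db_username:$db_password@$db_host/$db_database",
    'table'       => "users",      // your table name
    'usernamecol' => "username",   // the table username column
    'passwordcol' => "password",   // the table password column
    'cryptType'   => "md5",        // must match how the password column was filled
    // Assumption: a comma-separated list is accepted here (Table 13-2 gives
    // first_name and user_id as example values). Fetch only what pages display
    // instead of every column with "*".
    'db_fields'   => "first_name, last_name",
);

$authenticate = new Auth_HTTP("DB", $AuthOptions);
$authenticate->setRealm('Member Area');
$authenticate->setCancelText('<h2>Access Denied</h2>');
$authenticate->start();

// Fail closed: no code after this include may run for a request
// that has not been authenticated.
if (!$authenticate->getAuth()) {
    exit;
}

// Hypothetical helper for protected pages: HTML-escape a users-table column
// before printing it, because stored names may contain markup characters.
function auth_field($authenticate, $column)
{
    return htmlspecialchars((string) $authenticate->getAuthData($column), ENT_QUOTES);
}
?>
```

<p class="docText">A protected page then starts with <tt>require_once('auth_guard.php');</tt> and prints user data with calls such as <tt>echo auth_field($authenticate, 'first_name');</tt>.</p>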

</TD></TR></table>
<br>
</body></html>
